igogo-x86 / HexRaysPyTools

IDA Pro plugin which improves work with the HexRays decompiler and helps in the process of reconstructing structures and classes

Crash with "Recognize Shape" #18

Closed jvoisin closed 6 years ago

jvoisin commented 6 years ago

I've got some code that looks like this:

_DWORD *__cdecl sub_3B460(int a1, int a2)
{
  _DWORD *result; // eax

  result = sub_CD2F0();
  result[25] = sub_3B530;
  result[26] = sub_3B360;
  result[27] = sub_3B3B0;
  result[28] = sub_3B3C0;
  result[29] = sub_3B3D0;
  result[31] = sub_3B430;
  result[24] = sub_3B4D0;
  result[1] = a1;
  result[6] = a2;
  result[2] = a1;
  result[7] = a2;
  return result;
}

HexRaysPyTools is puking a stacktrace when I'm doing right-click → recognize shape on the result variable:

[Warning] Weird virtual table name - sub_3B3C0
Traceback (most recent call last):
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Actions.py", line 411, in activate
    visitor.process()
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Api.py", line 230, in process
    self.apply_to(self._cfunc.body, None)
  File "Z:\home\jvoisin\.wine\drive_c\Program Files\IDA 7.0\python\ida_hexrays.py", line 4458, in apply_to
    return _ida_hexrays.ctree_visitor_t_apply_to(self, *args)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Api.py", line 298, in leave_expr
    self._manipulate(cexpr, obj)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Core\VariableScanner.py", line 130, in _manipulate
    member = self.__extract_member_from_pointer(cexpr, obj)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Core\VariableScanner.py", line 216, in __extract_member_from_pointer
    return self.__extract_member(cexpr, obj, offset, parents, parents_type)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Core\VariableScanner.py", line 258, in __extract_member
    return self._get_member(offset, cexpr, obj, default_tinfo, obj_ea)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Core\VariableScanner.py", line 149, in _get_member
    return TemporaryStructure.VirtualTable(offset, obj_ea, scan_obj, self.__origin)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Core\TemporaryStructure.py", line 246, in __init__
    self.vtable_name, self.have_nice_name = parse_vtable_name(address)
ValueError: too many values to unpack

igogo-x86 commented 6 years ago

1) Does "Scan variable" or "Deep scan variable" produce the same error?
2) Is it possible to attach the file so I could take a look at it?
3) If not, then could you please set debug_message_level = 10 in the IDA_DIR/cfg/HexRaysPyTools.cfg file, reproduce the error and show the log?

jvoisin commented 6 years ago

[DEBUG] Expression var at 0x0003B473 Id - 1 (Api:__manipulate)
[DEBUG] Parsing expression result. Parents - ['asg', 'expr', 'block']   (VariableScanner:__extract_member_from_pointer)
[DEBUG]     Creating member with type _DWORD, set([result : 0x0003B473]), offset - 0    (VariableScanner:_manipulate)
[DEBUG] Expression var at 0x0003B478 Id - 1 (Api:__manipulate)
[DEBUG] Parsing expression result. Parents - ['idx', 'asg', 'expr', 'block']    (VariableScanner:__extract_member_from_pointer)
[DEBUG] Xref processing: 0.008000 seconds passed, storage size - 0.35 MB    (StructXrefs:process)
[DEBUG]     Creating member with type int (__cdecl *)(int a1, void *dest, size_t a3), set([result : 0x0003B478]), offset - 100  (VariableScanner:_manipulate)
[DEBUG] Expression var at 0x0003B47F Id - 1 (Api:__manipulate)
[DEBUG] Parsing expression result. Parents - ['idx', 'asg', 'expr', 'block']    (VariableScanner:__extract_member_from_pointer)
[DEBUG] Xref processing: 0.008000 seconds passed, storage size - 0.35 MB    (StructXrefs:process)
[DEBUG]     Creating member with type unsigned int (__cdecl *)(_DWORD *a1, unsigned int a2), set([result : 0x0003B47F]), offset - 104   (VariableScanner:_manipulate)
[DEBUG] Expression var at 0x0003B486 Id - 1 (Api:__manipulate)
[DEBUG] Parsing expression result. Parents - ['idx', 'asg', 'expr', 'block']    (VariableScanner:__extract_member_from_pointer)
[DEBUG] Xref processing: 0.008000 seconds passed, storage size - 0.35 MB    (StructXrefs:process)
[DEBUG]     Creating member with type int (*)(), set([result : 0x0003B486]), offset - 108   (VariableScanner:_manipulate)
[DEBUG] Expression var at 0x0003B48D Id - 1 (Api:__manipulate)
[DEBUG] Parsing expression result. Parents - ['idx', 'asg', 'expr', 'block']    (VariableScanner:__extract_member_from_pointer)
[Warning] Weird virtual table name - sub_3B3C0
Traceback (most recent call last):
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Actions.py", line 411, in activate
    visitor.process()
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Api.py", line 230, in process
    self.apply_to(self._cfunc.body, None)
  File "Z:\home\jvoisin\.wine\drive_c\Program Files\IDA 7.0\python\ida_hexrays.py", line 4458, in apply_to
    return _ida_hexrays.ctree_visitor_t_apply_to(self, *args)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Api.py", line 298, in leave_expr
    self._manipulate(cexpr, obj)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Core\VariableScanner.py", line 130, in _manipulate
    member = self.__extract_member_from_pointer(cexpr, obj)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Core\VariableScanner.py", line 216, in __extract_member_from_pointer
    return self.__extract_member(cexpr, obj, offset, parents, parents_type)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Core\VariableScanner.py", line 258, in __extract_member
    return self._get_member(offset, cexpr, obj, default_tinfo, obj_ea)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Core\VariableScanner.py", line 149, in _get_member
    return TemporaryStructure.VirtualTable(offset, obj_ea, scan_obj, self.__origin)
  File "Z:/home/jvoisin/.wine/drive_c/Program Files/IDA 7.0/plugins\HexRaysPyTools\Core\TemporaryStructure.py", line 246, in __init__
    self.vtable_name, self.have_nice_name = parse_vtable_name(address)
ValueError: too many values to unpack

igogo-x86 commented 6 years ago

Okay, now I need to see the beginning of sub_3B3C0 function. Could you show which raw bytes it has? (around 64 first bytes would be enough)

jvoisin commented 6 years ago

sure:

.text:0003B3C0                         ; =============== S U B R O U T I N E =======================================
.text:0003B3C0
.text:0003B3C0
.text:0003B3C0                         sub_3B3C0       proc near               ; DATA XREF: sub_3B460+2D↓o
.text:0003B3C0 B8 01 00 00 00                          mov     eax, 1
.text:0003B3C5 C3                                      retn
.text:0003B3C5                         sub_3B3C0       endp
.text:0003B3C5

igogo-x86 commented 6 years ago

I've made a commit so you can try. By the way, Recognize Shape only looks through existing structures and makes an attempt to find a suitable one. So if the structure which I can see on the screenshot is not yet reconstructed, then this feature will produce nothing.
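
To illustrate the last comment, here is an added example (not part of the thread and not HexRaysPyTools code) that derives the byte offsets written through `result` in `sub_3B460` and checks them against already-defined structures. The candidate structures and the matching rule (every access must land on a member of the same size) are assumptions made for illustration.

```python
# Added illustration; not HexRaysPyTools code. The matching rule is an assumption.

PTR_SIZE = 4  # `result` is a _DWORD *, so result[i] sits at byte offset 4 * i

# Indices written through `result` in the sub_3B460 pseudocode from the report.
WRITTEN_INDICES = [25, 26, 27, 28, 29, 31, 24, 1, 6, 2, 7]


def observed_shape(indices, elem_size=PTR_SIZE):
    """Return the sorted, de-duplicated (offset, size) accesses."""
    return sorted({(i * elem_size, elem_size) for i in indices})


def layout(member_sizes):
    """Turn consecutive member sizes into ({offset: size}, total_size)."""
    members, offset = {}, 0
    for size in member_sizes:
        members[offset] = size
        offset += size
    return members, offset


# Constructed sample of structures that already exist in the database.
KNOWN_STRUCTS = {
    "handler_ctx": layout([4] * 32),  # 32 dwords, 128 bytes
    "small_ctx": layout([4] * 3),     # too small for offset 124
    "wide_ctx": layout([8] * 16),     # 128 bytes, but qword members
}


def fits(shape, members, total_size):
    """True if every access lands on a member of the same size."""
    return all(
        off + size <= total_size and members.get(off) == size
        for off, size in shape
    )


def recognize_shape(shape, known):
    """Names of existing structures compatible with the observed accesses."""
    return sorted(n for n, (m, total) in known.items() if fits(shape, m, total))


if __name__ == "__main__":
    shape = observed_shape(WRITTEN_INDICES)
    print(shape)
    print(recognize_shape(shape, KNOWN_STRUCTS))  # one compatible structure
    print(recognize_shape(shape, {}))             # nothing defined, no match
```

Offsets 100, 104 and 108 in the computed shape correspond to the `offset - 100/104/108` lines in the debug log above.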